Build trust with Privacy in 2024

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that sets out rules and guidelines for the processing and protection of personal data within the European Union. It grants individuals greater control over their personal information, imposes obligations on organisations handling data, and aims to ensure a high level of privacy and security for individuals' data.

The GDPR establishes principles for lawful and transparent data processing, consent requirements and rights for individuals to access and control their data. It introduces significant penalties for non-compliance, aiming to foster a more responsible and privacy-centric approach to data management in the digital age.

The California Consumer Privacy Act (CCPA) of 2018 is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents. Considered one of the strictest privacy laws in the United States, this law sets a new standard for privacy rights in California. 

CPRA is the revised version of CCPA, so you’ll hear it referred to as CCPA 2.0, CPRA or CCPA version 2.

No, there are differences. Regulations like GDPR compliance are mandatory obligations that apply if your data processing activities meet the criteria of the regulation. The regulation sets out the detailed compliance requirements. If you operate in accordance with those requirements, you are compliant, regardless of whether you issue an attestation report. 

An attestation report is used to provide third parties with evidence of your compliance with an independent audit that earns and maintains trust. That’s especially important where your customers rely on your compliance for their compliance, eg. If they are using your software or services with the personal data of their customers. 

Many global privacy regulations may apply to your data processing activities.

For regulations like the GDPR, Australian Privacy Principles and New Zealand Privacy Act, there is no materiality level applied. That means you need to comply with the regulations if you collect any personal data from citizens of the EU, Australia or New Zealand respectively.

Regulations like the California Privacy Act (CCPA/CPRA) and several other American state-specific regulations, there is a materiality level applied to the scale of data collected and in some cases the company turnover and whether the sale of personal data is conducted.

The International Association of Privacy Professionals (IAPP) has some great resources to guide you on your requirements, including this helpful mapping of global regulations.

It is common to engage legal counsel to interpret the requirements of the regulation and how they apply to your data processing activities and operations. However, this is not required by the regulation itself. Many organisations, especially with a simpler or smaller scope of handling personal data can often follow the principles and requirements of the regulation without needing legal counsel.

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes to satisfy the relevant privacy regulatory clauses.

A Type 2 report attests to your compliance by both design and operation over a period of time. It covers a period between 3-12 months to show your systems and processes have been operated consistently to satisfy the relevant privacy regulatory clauses.

Usually, a Type 1 report is issued first to baseline compliance. That marks the start of the live and recurring Type 2 audit periods for reports issued annually.

Regulations like the GDPR and other similar privacy rights and acts are based on principles. That provides flexibility and room for judgment when it comes to applying those regulations. It recognises that there is subjectivity and varied circumstances that apply when handling personal data. 

The articles of the GDPR and other privacy regulations give more specific guidance and some hard requirements driven by those overarching principles designed to protect consumer’s interests.

We developed PolicyTree to address the challenge of defining and documenting compliance policies. PolicyTree collects data points about the privacy regulations that apply, your data processing activities and systems and what’s relevant to your privacy practices. You select the components that apply and input details related to your preferences or current state of operation to generate a set of policies, including a Privacy Statement and Privacy Policy document. This links through to the relevant acts and clauses from 16 privacy regulations including the GDPR.